Backdoor.Win32.Farfli_c02f0327c1
Trojan.Win32.Patched.md (Kaspersky), Virus.Win32.Ramnit.a!dam (v) (VIPRE), Virus.Win32.Zbot!IK (Emsisoft), Backdoor.Win32.Farfli.FD, PackedMysticCompressor.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Virus, Packed
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: c02f0327c1b5c8c5c1f04b35c6cf77bc
SHA1: 901890b97450e5db69e47781dc9dc8207c9ded1a
SHA256: a653c143ead7fbe48b373b4089d1a6fc7a8fdbc3a01d553662188240f92f9cf0
SSDeep: 3072:c34d2ECsZLqgMORHs1ZKjmQ7LjYT S2r87FxS0jLsaUDq:aNHFOtMKjfjYT SO85xSssaQq
Size: 125402 bytes
File type: PE32
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Jottix
Created at: 2008-12-20 18:44:25
Summary:
Backdoor. Malware that enables a remote control of victim's machine.
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
c02f0327c1b5c8c5c1f04b35c6cf77bcmgr.exe:2756
c02f0327c1b5c8c5c1f04b35c6cf77bc.exe:2588
ajvmmkjkbtsibwto.exe:1792
ctfmon.exe:252
The Backdoor injects its code into the following process(es):
winupdate86.exe:2800
File activity
The process c02f0327c1b5c8c5c1f04b35c6cf77bcmgr.exe:2756 makes changes in a file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ajvmmkjkbtsibwto.exe (601 bytes)
The process winupdate86.exe:2800 makes changes in a file system.
The Backdoor creates and/or writes to the following file(s):
%System%\config\software (5764 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\winupdate86mgr.exe (103 bytes)
%System%\winlogon86.exe (601 bytes)
%System%\config\software.LOG (9152 bytes)
The Backdoor deletes the following file(s):
%System%\winupdate86.exe (0 bytes)
The process c02f0327c1b5c8c5c1f04b35c6cf77bc.exe:2588 makes changes in a file system.
The Backdoor creates and/or writes to the following file(s):
%System%\config\software (5226 bytes)
%System%\config\software.LOG (10144 bytes)
%System%\winlogon86.exe (601 bytes)
%System%\winupdate86.exe (601 bytes)
The process ajvmmkjkbtsibwto.exe:1792 makes changes in a file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\psyykfdm.sys (15 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\psyykfdm.sys (0 bytes)
Registry activity
The process c02f0327c1b5c8c5c1f04b35c6cf77bcmgr.exe:2756 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B F5 AC 1E 6F 1A 52 9D 45 A1 EB 19 61 A6 ED 82"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f3-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{773a730e-74fb-11e2-b597-000c293bdf2f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"ajvmmkjkbtsibwto.exe" = "Common File Format Explorer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f2-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fdd9f6f5-7454-11e2-b4cd-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The process winupdate86.exe:2800 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 3B 43 16 38 69 77 2D F9 D5 95 5F 18 63 06 A8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "%System%\winlogon86.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software]
"8636065b-fef0-4255-b14f-54639f7900a4" = "8636065b-fef0-4255-b14f-54639f7900a4"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winupdate86.exe" = "%System%\winupdate86.exe"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
The process c02f0327c1b5c8c5c1f04b35c6cf77bc.exe:2588 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit" = "%System%\winlogon86.exe"
To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winupdate86.exe" = "%System%\winupdate86.exe"
The process ajvmmkjkbtsibwto.exe:1792 makes changes in a system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 07 83 CD DE C9 17 06 EA 5B 68 A5 C3 B4 FE 70"
The process ctfmon.exe:252 makes changes in a system registry.
The Backdoor deletes the following value(s) in system registry:
The Backdoor disables automatic startup of the application by deleting the following autorun value:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"
Network activity (URLs)
| URL | IP |
|---|---|
| baywsfsemlttpsj.com |  208.73.211.250 |
| celnjqtqkgxsccabmj.com | 208.73.211.250 |
| kbchmynenfcuktfxa.com |  Unresolvable |
| xablgjgqpfayxcoan.com | Unresolvable |
| gwqqcthftcngyt.com | Unresolvable |
| roukwtmdvelyea.com | Unresolvable |
| mevofemqreinlirk.com | Unresolvable |
| ksdrwalv.com | Unresolvable |
| irgpjqkcojxabjs.com | Unresolvable |
| vusiqdyp.com | Unresolvable |
| guvdavhwoylcb.com | Unresolvable |
| iwtkdxsmu.com | Unresolvable |
| qtlmbubna.com | Unresolvable |
| uxasdaxjiqrk.com | Unresolvable |
| aalhoqwtompx.com | Unresolvable |
| jdonpdfvw.com | Unresolvable |
| qisgxhcl.com | Unresolvable |
| vyhxatulmuaxvexjv.com | Unresolvable |
| psnylopyt.com | Unresolvable |
| wwwlridhcphwak.com | Unresolvable |
| bxqvcimgcaepkubgi.com | Unresolvable |
| oijkhgcahdwyixo.com | Unresolvable |
| hwgcksenffubhwqmdal.com | Unresolvable |
| ocjsqbqoyjlavan.com | Unresolvable |
| udauindm.com | Unresolvable |
| dwerjnnkpfbmdfeuwby.com | Unresolvable |
| fdijucnvsfvpel.com | Unresolvable |
| waoimlpgtvdsqx.com | Unresolvable |
| hmuhvsjjl.com | Unresolvable |
| vajskiyluwh.com | Unresolvable |
| rntqtgcqnc.com | Unresolvable |
| uvptsjqdvxkjsca.com | Unresolvable |
| xlpmvmcaoppokdcldc.com | Unresolvable |
| lnwdxoqoqxtxxdgs.com | Unresolvable |
| uoctajwdjlqltbf.com | Unresolvable |
| ruvbymubogvlllkyaji.com | Unresolvable |
| uqlmkgtnofmabnpwhj.com | Unresolvable |
| fboymydk.com | Unresolvable |
| musdeyejbcbkse.com | Unresolvable |
| vuhvdkvo.com | Unresolvable |
| pgtbvvjadweh.com | Unresolvable |
| gyaxrikstdwtkai.com | Unresolvable |
| rubyscoeicm.com | Unresolvable |
| aqjwtguuxc.com | Unresolvable |
| fmxkhwlbsvjic.com | Unresolvable |
| pbbvkscdfqmx.com | Unresolvable |
| wodrfdxakskqdurgg.com | Unresolvable |
| yxqcwilaughqrxxhuv.com | Unresolvable |
| bxnopdkka.com | Unresolvable |
| wybypnnefwrnijmr.com | Unresolvable |
| adhymefcryqjfsg.com | Unresolvable |
| ktfejmafpmubmis.com | Unresolvable |
| vhhbenjngfkdqqrxyef.com | Unresolvable |
| pkfrnnsvab.com | Unresolvable |
| ysvsagwfr.com | Unresolvable |
| irypcpym.com | Unresolvable |
| rdxcvejik.com | Unresolvable |
| bnduajijjnyjowost.com | Unresolvable |
| hvkhytpydqm.com | Unresolvable |
| ukpamxcqknbrwtxeon.com | Unresolvable |
| aqyycusxpiyphgqt.com | Unresolvable |
| dajxhcddxoyp.com | Unresolvable |
| ujyprlpoxwwshj.com | Unresolvable |
| jltqngrgikawpnoji.com | Unresolvable |
| ssvducwu.com | Unresolvable |
| picaqhesd.com | Unresolvable |
| rnxlvwchep.com | Unresolvable |
| jkvkigmtstgh.com | Unresolvable |
| vytiwhwdomibkisctq.com | Unresolvable |
| qlpuekmxibf.com | Unresolvable |
| dusxnqcoykl.com | Unresolvable |
| mnnbfmkccrlacrpi.com | Unresolvable |
| eelepdsrwmggiilpaq.com | Unresolvable |
| djtftjakyiqfn.com | Unresolvable |
| tfudlnro.com | Unresolvable |
| rjdirngskatrtg.com | Unresolvable |
| twcdgtvl.com | Unresolvable |
| epwbonwkmcvjunodvf.com | Unresolvable |
| jsrdpgvmu.com | Unresolvable |
| nrfronglu.com | Unresolvable |
| gflyifvtyuarn.com | Unresolvable |
| emwdrbwapescxix.com | Unresolvable |
| pchlbfwusr.com | Unresolvable |
| exjijcjhjlatkplnfol.com | Unresolvable |
| vsmtiytrcacrgcj.com | Unresolvable |
| gswcjhdhgkjnvkent.com | Unresolvable |
| nwynfhre.com | Unresolvable |
| xwbjkvtdmufmf.com | Unresolvable |
| vixqwtroi.com | Unresolvable |
| mmfahqrmftuu.com | Unresolvable |
| ckbytyyandmpgyuojl.com | Unresolvable |
| gfyysdjdftm.com | Unresolvable |
| ptddbyopodpanxbu.com | Unresolvable |
| slkfbshuoru.com | Unresolvable |
| jstxomkn.com | Unresolvable |
| squstnyywumup.com | Unresolvable |
| ddeqsgsws.com | Unresolvable |
| mrtksmcwd.com | Unresolvable |
| rwptujecxf.com | Unresolvable |
| fbbntdkljkvb.com | Unresolvable |
| cwpppiblxarfcmqoym.com | Unresolvable |
| ruiwjxtgflljp.com | Unresolvable |
| hbuqmyrrpoqmybl.com | Unresolvable |
| qhlhsaytjeaorx.com | Unresolvable |
| cugxojvumi.com | Unresolvable |
| wcbpdfpgwffjs.com | Unresolvable |
| vupepgfagso.com | Unresolvable |
| mvtaudrockn.com | Unresolvable |
| hqepovopfoskaf.com | Unresolvable |
| uxvbhdtbhth.com | Unresolvable |
| kegnvjtiowifoavcb.com | Unresolvable |
| epwnqeghafyocr.com | Unresolvable |
| kpsfabxdwbvv.com | Unresolvable |
| andeyvgrdmcuhdmwkd.com | Unresolvable |
| amhqfywanwiip.com | Unresolvable |
| fkdrsgjjroodh.com | Unresolvable |
Rootkit activity
The Backdoor installs the following kernel-mode hooks:
ZwCreateKey
ZwOpenKey
Propagation
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
c02f0327c1b5c8c5c1f04b35c6cf77bcmgr.exe:2756
c02f0327c1b5c8c5c1f04b35c6cf77bc.exe:2588
ajvmmkjkbtsibwto.exe:1792 - Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\ajvmmkjkbtsibwto.exe (601 bytes)
%System%\config\software (5764 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\winupdate86mgr.exe (103 bytes)
%System%\winlogon86.exe (601 bytes)
%System%\config\software.LOG (9152 bytes)
%System%\winupdate86.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\psyykfdm.sys (15 bytes) - Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winupdate86.exe" = "%System%\winupdate86.exe" - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
